Three Ways to Convince Your Superiors to Invest in Cybersecurity
Imagine that you’re a chief information security officer (CISO) for a doctor's office. You know that there are urgent cybersecurity risks facing the business: Employees are using weak passwords, contractors have access to shared passwords and outdated networking hardware contains known vulnerabilities. These are problems that take personnel, time and money to address, but if they’re not causing an immediate issue, it’s hard to justify the resources.
CISOs know that it’s always a challenge to allocate budget to cybersecurity investments — especially in small businesses that are already facing a limited budget. Management may point to existing cybersecurity software in place and the lack of a data breach as proof that the existing infrastructure is sufficient. You know that this is a flawed line of thinking, but how can you get through to them? How can you convince them to invest in cybersecurity?
Let's take a look at three ways that you can convince your superiors to invest in cybersecurity, as well as some software that can help close the gap.
Create a New Success Metric
Many people think of cybersecurity as software that protects a business. It's easy to invest in firewall, anti-virus and other cybersecurity software and point to a lack of data breaches as proof of a successful defense. The problem with this line of thinking is that the lack of a data breach doesn't necessarily mean that there aren't any vulnerabilities – and the presence of vulnerabilities means that a data breach could be just around the corner.
It's better to think of cybersecurity as a process rather than a solution. The real success metric is the number of vulnerabilities that are identified and fixed before they lead to a costly data breach. While cybersecurity software plays a role in eliminating many vulnerabilities, it's naïve to assume that any computer system is impenetrable to attack. It’s equally important to address the human element of cybersecurity with training and best practices.
For example, spear phishing emails can easily slip past email spam filters. Without the right training, an employee working in accounts payable could easily fall victim to a convincing spear phishing email from the CEO requesting a wire transfer. There should be processes in place to ensure that employees recognize and report these kinds of vulnerabilities. A successful report represents a better success metric than the mere presence of a spam filter.
Use Narratives to Illustrate Risk
There is no shortage of cybersecurity statistics detailing the risk facing small businesses, but it's the news headlines that cause decision makers to take action, even if that action is short-lived. The reason is that storytelling activates sensory centers in our brain that make us relate to the story on a personal level; it places you inside of the story. This is why storytelling is so powerful when it comes to marketing and other forms of communication.
When presenting cybersecurity concerns, it's a good idea to lead with narratives rather than numbers to better engage with your audience. You might mention that a major competitor recently suffered a data breach and use that as a lead-in to the average cost of a data breach and then the proactive prevention steps that the business could take. By relating to the initial story, decision makers may be more apt to support an investment.
You can also illustrate the risk on a personal level by targeting decision makers with cybersecurity tests. For example, you might target them in phishing or penetration testing efforts and use their response as part of a story. If they fall victim, it’s much easier to draw their attention to the potential risks and motivate them to make an investment in cybersecurity. They relate to the risks on a personal, rather than abstract, level.
Survey Peers to Challenge Assumptions
Research suggests that most executives believe that their own investments in cybersecurity are sufficient, but that few of their peers are investing enough in defenses. Obviously, these executives cannot all be correct if the percentage of respondents with this belief exceeds 49 percent. Overconfidence in one's own cybersecurity can be a major cause for concern because it discourages further investments in improving the situation.
A good way to overcome this overconfidence is using peer surveys to bring real data to the table. By surveying peer investments in cybersecurity, CISOs can demonstrate where their company actually stands relative to peers. A demonstrated underinvestment in cybersecurity could prompt decision makers to revise their thoughts and justify further investment by challenging the assumptions that they might be making.
Several industries have also published cybersecurity guidelines and recommendations. By conducting an internal audit, you can make sure that your business is at least adhering to those guidelines in a strict sense. Many businesses unknowingly fail to meet these guidelines, which are designed to protect sensitive client information from criminals, particularly in tightly regulated markets like legal and healthcare.
The Bottom Line
Many decision makers overestimate their own company's cybersecurity defenses and may not be enthusiastic about allocating more budget to protect themselves. The good news is that there are several strategies that you can use to convince decision makers otherwise, including reframing success metrics, using narratives to illustrate risk and surveying peers to challenge assumptions about the adequacy of cybersecurity investments.
Jungle Disk provides a comprehensive cybersecurity suite that's designed for small businesses with up to 250 employees. For a single per-month, per-employee fee, you can access the software solutions that you need to protect your business from many common vulnerabilities, which frees you up to focus on employee education and other initiatives. If you’re not ready yet, take our free network scan to see how your existing defenses fare against attack.